CVE-2025-38392

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38392
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38392.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38392
Downstream
Related
Published
2025-07-25T13:15:28Z
Modified
2025-07-25T16:45:58.046814Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

idpf: convert control queue mutex to a spinlock

With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated on module load:

[ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
[ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager
[ 324.701689] preempt_count: 201, expected: 0
[ 324.701693] RCU nest depth: 0, expected: 0
[ 324.701697] 2 locks held by NetworkManager/1582:
[ 324.701702] #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0
[ 324.701730] #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870
[ 324.701749] Preemption disabled at:
[ 324.701752] [<ffffffff9cd23b9d>] __dev_open+0x3dd/0x870
[ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary)
[ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022
[ 324.701774] Call Trace:
[ 324.701777] <TASK>
[ 324.701779] dump_stack_lvl+0x5d/0x80
[ 324.701788] ? __dev_open+0x3dd/0x870
[ 324.701793] __might_resched.cold+0x1ef/0x23d
<..>
[ 324.701818] __mutex_lock+0x113/0x1b80
<..>
[ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]
[ 324.701935] ? kasan_save_track+0x14/0x30
[ 324.701941] idpf_mb_clean+0x143/0x380 [idpf]
<..>
[ 324.701991] idpf_send_mb_msg+0x111/0x720 [idpf]
[ 324.702009] idpf_vc_xn_exec+0x4cc/0x990 [idpf]
[ 324.702021] ? rcu_is_watching+0x12/0xc0
[ 324.702035] idpf_add_del_mac_filters+0x3ed/0xb50 [idpf]
<..>
[ 324.702122] __hw_addr_sync_dev+0x1cf/0x300
[ 324.702126] ? find_held_lock+0x32/0x90
[ 324.702134] idpf_set_rx_mode+0x317/0x390 [idpf]
[ 324.702152] __dev_open+0x3f8/0x870
[ 324.702159] ? __pfx_dev_open+0x10/0x10
[ 324.702174] __dev_change_flags+0x443/0x650
<..>
[ 324.702208] netif_change_flags+0x80/0x160
[ 324.702218] do_setlink.isra.0+0x16a0/0x3960
<..>
[ 324.702349] rtnl_newlink+0x12fd/0x21e0

The sequence is as follows:
rtnl_newlink() ->
__dev_change_flags() ->
__dev_open() ->
dev_set_rx_mode() ->            # disables BH and grabs "dev->addr_list_lock"
idpf_set_rx_mode() ->           # proceeds only if VIRTCHNL2_CAP_MACFILTER is ON
__dev_uc_sync() ->
idpf_add_mac_filter() ->
idpf_add_del_mac_filters() ->
idpf_send_mb_msg() ->
idpf_mb_clean() ->
idpf_ctlq_clean_sq()            # mutex_lock(cq_lock)

Fix by converting cq_lock to a spinlock. All operations under the new lock are safe except freeing the DMA memory, which may use vunmap() and therefore may sleep. Fix that by requesting physically contiguous memory for the DMA mapping.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.12.37-1

Affected versions

6.*

6.12.35-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}